WAF++

FAQ

The most important questions about WAF++ — answered concisely.

Note: WAF++ is intentionally vendor-neutral. Where it helps, we link to governance and RFCs instead of “hard” prescriptions.

1) What is WAF++ in one sentence?
WAF++ is a community-driven framework to assess cloud and platform architectures in a structured way, make decisions traceable, and implement improvements along clear guardrails.
2) Is WAF++ vendor-neutral?
Yes. WAF++ is built around principles, patterns, and standards — not around specific products or cloud providers.
3) Is WAF++ a fork of Well-Architected?
No. WAF++ uses similar thinking (e.g., guardrails and trade-offs), but extends it with governance, working groups, RFC processes, maturity/scoring approaches, and reference models.
4) Who is WAF++ for?
For platform teams, architects, security/compliance, SRE/operations, and auditors who want to make architecture quality measurable and repeatable — independent of provider and tooling.
5) What are the 7 pillars?
The pillars bundle perspectives (e.g., cost, security, reliability, sovereign). Each pillar provides guiding questions, evidence/artifact hints, and typical trade-offs.
6) Which pillars are currently available?
At the start, we prioritize Pillar 2 (Cost Optimization) and Pillar 7 (Sovereign). Additional pillars follow iteratively once content, examples, and scoring approaches have matured sufficiently.
7) What does 'Sovereign' mean in the WAF++ context?
Sovereignty includes data control, controllability, traceability, exit capability, regulatory alignment, and vendor-risk reduction — both technically and organizationally.
8) Is there a maturity model or scoring?
Yes — as a target vision. We work iteratively: first clear questions & evidence, then scoring/levels and reference models. The approach is meant to be transparent (no black-box assessments).
9) What does a typical start look like?
Start small: pick a pillar (e.g., cost), answer the guiding questions with evidence (e.g., policies, dashboards, ADRs), derive 3–5 actions, and repeat the cycle regularly.
10) How do you ensure traceability and auditability?
Through public discussions, reviews, and RFCs. Larger changes are documented as RFCs (problem, options, decision, impact) and versioned.
11) How can I contribute?
Via issues/PRs, reviews, working groups, use cases from projects/audits, examples (patterns/anti-patterns), or by supporting sessions/BoFs at conferences.
12) Do I need to contribute code to be a contributor?
No. Content, reviews, discussions, examples, translations, issue triage, and moderation are equally valuable.
13) How do you handle security topics?
Responsible disclosure: security issues are reported privately and published in a coordinated way. Details are in the repository's security policy.
14) Which license does WAF++ use?
WAF++ uses a dual-license model: Apache License 2.0 for code and CC BY 4.0 for documentation. The authoritative sources are LICENSE/NOTICE in the repository and the notes on /legal/.
15) Is there a roadmap?
Yes. We prioritize transparently and actively look for contributors for content, reviews, working groups, and real-world examples.